HackDig : Dig high-quality web security articles for hacker

I was lucky enough to be at the event at which Sean McBride initially spoke about potatoes. Who doesn’t love a good potato? It was actually a succinct outline of a process in agriculture that takes place every day, outlining pinch points of a potato harvester that could illicit physical harm to the workers performing their everyday jobs.

It was a nice metaphor for ‘pinch points’ that could be found in an industrial control system. Rather than a physical pinch point, you could think of aspects in a control network that, if compromised, could illicit catastrophic failures to the process control or regular function of the network. There is a great summary ( https://goo.gl/GsPZ7A ) of the presentation that outlines the main points of the aptly named subversive six unseen risks. This triggered some thoughts about methods to mitigate these six ‘subversive’ or easily and often overlooked risks in an industrial network.

I would like to investigate three of the six outlined: Outdated hardware, Vulnerable Windows OS, and undocumented third-party relationships. I think the first two are fairly obvious, but the third, for me, is always surprising and I think surprising to the customers I engage with. These are the interesting elements seen in a Wireshark capture where you have IP addresses making their way to a PLC network from the office network, or the realization that an HMI computer that ‘can never reach the outside world’ actually has direct access to the Internet (oops). What can be done about these three subversive risks using one foul swoop?

Going back to potatoes and potato harvesting, this process has gone on for thousands of years. Maybe not in such a sophisticated manner as is done now, but it has been active for millennia. On that same paradigm, the act of utilizing defense-in-depth strategies has also existed for millennia and has proven effective.

This is a time-proven protection mechanism that utilizes multiple layers of protection by compartmentalizing certain functions in specific groups. Typically, the more critical the asset, the greater the variety and layers of protection around it contained in specific groups. Think of it this way: the King sits at the highest level in the case of great castles. The interesting thing, to me, is this idea of defense-in-depth developed in distinct cultures that at the time had very little to no communication between one another. Refer to the images above, and you’ll see the same techniques employed in both a castle in Europe and in China.

Okay Erik, so you’ve talked about potatoes and castles. How does this help with the three of six subversive risks?

Luckily, this methodology has evolved into a well-structured (albeit lengthy) specification known as the IEC-62443 specification. Within it is a subsection -3-2 that outlines the usage of Zones and Conduits (i.e. a defense-in-depth structure of your network). This hearkens back to the title; a little organization goes a long way. If we segment these elements into specific zones using firewall technology, we can protect this outdated hardware, (If we do not have the option to upgrade it.) we can segment off these vulnerable Windows OS machines, and most importantly with the correct zoning we can ensure that those PLCs do not have outgoing or egress access from the PLC.

While I only mentioned three of the six outlined by Sean, I believe that by utilizing zones and conduits (defense-in-depth strategy), all six can be mitigated by segmenting your ICS network and leveraging firewall technology to do so.

If you would like to learn more about six key weaknesses that adversaries use to undermine plant operations as well as investigate real-life threat details and mitigation options, join Sean McBride (FireEye), David Meltzer (Tripwire), and me (Erik Schweigert of Tofino Security/Belden) on March 22 for what promises to be an insightful webinar.

About the Author:Erik Schweigert leads the Tofino Engineering team within Belden’s Industrial Cybersecurity platform. He developed the Modbus/TCP, OPC, EtherNet/IP modules and directed the development of the DNP3, and IEC-60870-5-104 deep packet inspection modules for Tofino security products. His areas of expertise include industrial protocol analysis, network security, and secure software development. Schweigert graduated with a Bachelor of Science in Computer Science from Vancouver Island University.

Editor’s Note:The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.